
EIGRP load balancing based on interface load

EIGRP computes its composite metric from five parameters, one of them being interface load, so it is theoretically possible to have route metrics that include interface load. However, tweaking the EIGRP K-values with the metric weights command so that interface load (the K2 term) enters the metric calculation is strongly discouraged: every change in interface load could lead to network instability. Even worse, whenever the load on an interface increased, the increased composite metric of the affected routes in the EIGRP topology table could cause them to enter the active state (and the router to start the DUAL algorithm in search of a better path toward the destination). Keep in mind as well that K-values must match on all routers in the EIGRP domain, otherwise adjacencies will not form.

To make the whole idea even more impractical, EIGRP does not scan the interface load (and the other parameters influencing the metric) periodically, but only when triggered by a change in network topology (for example, an interface or neighbor up/down event).
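To see what the K2 term actually does to the metric, here is the classic 32-bit EIGRP composite metric computed with integer arithmetic (added example, not code from the original article). The T1 and FastEthernet figures are the well-known textbook values; the "busy" load value of 204 (about 80%) is an arbitrary choice for illustration.

```python
# Added example: classic EIGRP composite metric, integer math as IOS does it.
# Shows that with default K-values the metric ignores load, while K2=1 makes
# it drift as the interface load changes.

DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5 from the default 'metric weights 0 1 0 1 0 0'

def eigrp_metric(min_bandwidth_kbps, total_delay_tens_us, load=1, reliability=255, k=DEFAULT_K):
    """Classic (32-bit) EIGRP composite metric.

    min_bandwidth_kbps : lowest bandwidth along the path, in kbit/s
    total_delay_tens_us: sum of interface delays, in tens of microseconds
    load, reliability  : 1..255 (load 1 = idle, reliability 255 = 100%)
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bandwidth_kbps                   # scaled bandwidth term
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * total_delay_tens_us
    if k5 != 0:                                             # K5 == 0 disables the reliability term
        metric = metric * k5 // (reliability + k4)
    return metric * 256

def metric_drift(min_bandwidth_kbps, total_delay_tens_us, k=DEFAULT_K):
    """Metric at idle vs. ~80% load (load=204) for the same path; zero drift means load is ignored."""
    idle = eigrp_metric(min_bandwidth_kbps, total_delay_tens_us, load=1, k=k)
    busy = eigrp_metric(min_bandwidth_kbps, total_delay_tens_us, load=204, k=k)
    return idle, busy, busy - idle

if __name__ == "__main__":
    # T1 serial link: bandwidth 1544 kbit/s, delay 20000 us (= 2000 tens of us)
    for label, weights in (("default K-values", DEFAULT_K), ("K2=1 (load included)", (1, 1, 1, 0, 0))):
        idle, busy, drift = metric_drift(1544, 2000, weights)
        print(f"{label:22} idle={idle} busy={busy} drift={drift}")
```

With the default K-values the T1 metric stays at 2169856 whatever the load; with K2 set to 1 the same path moves from 2176256 to 2201600 as the link fills up, which is exactly the kind of metric change that would make DUAL re-evaluate the route.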

Note: this article is part of You've asked for it series.

Practice EIGRP configuration in MPLS VPN environment

If you would like to test how EIGRP works within an MPLS VPN, you can do that in our remote labs. If you have partner-level Cisco Connection Online access, you can do it free of charge:

If you're not working for a Cisco partner, you can buy the whole set of MPLS remote labs from NIL Data Communications.

More command works as hex dump if needed

The more command displays the specified file as a hex dump if the contents don't look like a text file. In my example, it didn't like the CR/LF pairs in the Autorun.inf file written on a USB token by a Windows PC, but you could also dump an IOS image or a tar archive used by SDM (or other web-based applications). To force the display format, use the /ascii, /binary or /ebcdic (for IBM/SNA gurus) parameters. Cool feature ... IOS is obviously full of hidden gems :)

router#more usbflash1:Autorun.inf
00000000: 5B617574 6F72756E 5D0D0A6F 70656E3D [aut orun ]..o pen=
00000010: 496E7374 616C6C65 722E6578 650D0A69 Inst alle r.ex e..i
00000020: 636F6E3D 496E7374 616C6C65 722E6578 con= Inst alle r.ex
00000030: 650D0A41 6374696F 6E3D4C61 756E6368 e..A ctio n=La unch
00000040: 20496E73 74616C6C 65722066 6F722047 Ins tall er f or G
00000050: 6F6F676C 65204170 706C6963 6174696F oogl e Ap plic atio
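When you find a dump like this in a terminal log, the hex words are the only reliable column (non-printable bytes are shown as "." in the ASCII part). The following added example, not code from the original article, parses the IOS layout back into the file bytes, re-renders bytes in the same layout, and pulls the open= target out of an autorun.inf body. The layout rules (8-digit offset, up to four upper-case 32-bit words, ASCII in groups of four) are assumed from the printout above; the sample text is the printout itself, pasted inline.

```python
import re
import string

# Constructed for this example: the six dump lines from the printout above,
# pasted as text (the prompt line is included to show that it is skipped).
IOS_DUMP = """\
router#more usbflash1:Autorun.inf
00000000: 5B617574 6F72756E 5D0D0A6F 70656E3D [aut orun ]..o pen=
00000010: 496E7374 616C6C65 722E6578 650D0A69 Inst alle r.ex e..i
00000020: 636F6E3D 496E7374 616C6C65 722E6578 con= Inst alle r.ex
00000030: 650D0A41 6374696F 6E3D4C61 756E6368 e..A ctio n=La unch
00000040: 20496E73 74616C6C 65722066 6F722047 Ins tall er f or G
00000050: 6F6F676C 65204170 706C6963 6174696F oogl e Ap plic atio
"""

# offset, then up to four upper-case hex words; the ASCII column is never trusted
_DUMP_LINE = re.compile(r"^([0-9A-F]{8}):((?:\s+[0-9A-F]{2,8}){1,4})")

def parse_ios_hexdump(text):
    """Rebuild the file bytes from an IOS 'more' hex dump (assumed layout, see above).

    Offsets must be contiguous, so a missing, duplicated or reordered line raises.
    Caveat: on a short final line an ASCII group that happens to look like
    upper-case hex could be swallowed as data; full 16-byte lines are unambiguous.
    """
    out = bytearray()
    for raw in text.splitlines():
        m = _DUMP_LINE.match(raw.strip())
        if not m:
            continue                      # prompt, blank or trailing lines
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"non-contiguous offset on line: {raw!r}")
        for word in m.group(2).split():
            out += bytes.fromhex(word)
    return bytes(out)

_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def format_ios_hexdump(data):
    """Render bytes in the same layout: offset, four 32-bit words, ASCII in groups of four."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        words = " ".join(chunk[i:i + 4].hex().upper() for i in range(0, len(chunk), 4))
        text = "".join(chr(b) if chr(b) in _PRINTABLE else "." for b in chunk)
        groups = " ".join(text[i:i + 4] for i in range(0, len(text), 4))
        lines.append(f"{off:08X}: {words:<35} {groups}")
    return "\n".join(lines)

def autorun_commands(data):
    """Return the open= / shellexecute= targets of an autorun.inf body (CRLF or LF)."""
    cmds = []
    for line in data.decode("latin-1").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("open", "shellexecute"):
            cmds.append(value.strip())
    return cmds

if __name__ == "__main__":
    data = parse_ios_hexdump(IOS_DUMP)
    print(data.decode("latin-1"))
    print("launches:", autorun_commands(data))
    print(format_ios_hexdump(data))
```

Decoding the printout above yields a standard autorun.inf that launches Installer.exe; the same routine works on a dumped IOS image or tar archive, where the contiguity check matters more because a single dropped line silently corrupts everything after it.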

Execute show commands while configuring a router

I've always wanted to be able to execute a show command while configuring a router (I'm never good at remembering subinterface numbers). A while ago Cisco introduced the do configuration command that allows you to execute any exec-level command (including telnetting to another device) without leaving the current configuration mode. For example, to view the interface numbers while trying to configure an interface, use the do show ip interface brief command:

router(config-if)#do show ip interfaces brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 YES manual administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 unassigned YES manual up up
Serial0/0/0.101 YES manual up up
Serial0/1/0 unassigned YES unset administratively down down
Serial0/1/1 unassigned YES TFTP administratively down down
Loopback0 YES manual up up

One-time passwords on Cisco routers

Cisco routers preconfigured for SDM have the default username/password cisco/cisco. As many users forget to disable or change the default username after configuring their router with SDM, they could end up with an exposed router.

Cisco addressed this in IOS release 12.4(11)T with the one-time option of the username command, which lets you define a username/password combination that can be used only once. For example, username cisco one-time secret cisco defines the default username so that it can be used for a single login to the router. After the first login, the username disappears from the running configuration and thus cannot be reused.

There are, however, two caveats associated with this feature:

  • If you log into the router using any other username, the one-time username remains valid (it's not removed on the first successful login to the box, which would make more sense in the SDM context);
  • The one-time username is removed only from the running configuration; if you don't save the new configuration to NVRAM, the username will reappear after the router reloads.

Where does the Tcl output go?

You might have wondered what happens with the output produced by Tcl procedures (for example, with the puts command) when you use Tcl in Embedded Event Manager (EEM) or Embedded Syslog Manager (ESM). If the Tcl procedure executes in the context of a line (console or virtual terminal), the output is sent straight to the attached line; otherwise it's processed by the logging manager (resulting in a syslog message).

There are two scenarios where Tcl would execute in the context of a line: if you start a Tcl procedure with the tclsh command, or if it's an EEM policy registered with event_register_cli with the sync parameter set to yes.

Improve your hands-on PIX and ASA configuration skills

If you're not deploying Cisco firewalls on a regular basis, you'd definitely benefit from going through Securing Networks with PIX and ASA (SNPA) remote lab exercises practicing common configuration tasks, from simple to pretty complex ones ... not to mention that SNPA is part of the Cisco Certified Security Professional (CCSP) certification.

If you have partner-level Cisco Connection Online access, you can get these labs free of charge:

  • Start Partner e-learning connection.
  • Select Lab central.
  • In the Cisco Career Certification Labs table, select CCSP.
  • Enter SNPA into keywords field, and perform search
If you're not working for a Cisco partner, you can buy these remote labs from NIL Data Communications.

Configure local authentication with AAA

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why, but you could guess), but here it is for the benefit of everyone else: if you want to enable AAA on Cisco IOS but still retain local usernames (at least for console access), this is how you do it:

  • Define local usernames with username xxx password yyy command (I would prefer the secret option if your IOS supports it).
  • Configure aaa new-model.
  • Configure a named AAA authentication list with the aaa authentication login MyList local.
  • Attach the named AAA authentication list to the console line with the login authentication MyList command.
If you want to use the local usernames only as a fallback mechanism in case the AAA servers fail or become unreachable, you could use the aaa authentication login MyList group [radius|tacacs+|name] local command.

Note: this article is part of You've asked for it series.

Local usernames with no password

There are two ways you can configure local usernames without a password:

  • By using the username user command without the password option, you create a username that has a blank password (the operator has to press ENTER at the Password: prompt)
  • With the username user nopassword command, you create a user where the operator will not be prompted for the password at all.
Hopefully, you would use such usernames only with the autocommand option to give guest users a short overview of the router's operation (for example, display the interface status).

Note: this article is part of You've asked for it series.

One-line extended ping

Hard-core IOS old-timers could probably recite the sequence of parameters in the extended IP ping dialog even when woken up in the middle of the night. However, this venerable tradition was made obsolete in one of the IOS 12.x releases: the ping command now accepts parameters like data, repeat, size, timeout or source on the command line.

For example, to send 500 18000-byte pings with data pattern 0000 to, you could use the ping ip data 0000 repeat 500 size 18000 validate command.

Running Tcl procedures from command line

Starting in IOS release 12.3(2)T, Tcl shell is accessible from the command line interface with the tclsh command. After entering this command, you get the Router(tcl)# prompt and can enter individual Tcl commands (the help is confusing, though - you get help on exec-mode commands, but none of them work).

What the documentation fails to tell you, though, is that you can specify a file name (actually an IOS File System URL) as the parameter to the tclsh command to execute the Tcl commands in that file. The file can be local (stored in flash or even NVRAM) or remote, in which case the router downloads the file and executes it. For example, if you store a simple helloWorld.tcl file ...

puts "hello, world";
... on an external TFTP server and execute it with the tclsh tftp:// command, you'll get the "famous" printout:
Router#tclsh tftp://
Loading helloWorld.tcl from (via FastEthernet0/0): !
[OK - 20 bytes]
hello, world

A revised version of this article is available in the CT3 wiki.

You can find more Tclsh-related information in the Tclsh on Cisco IOS tutorial. Sample Tclsh scripts are available in the Tclsh script library. If you need expert help in planning, developing or deploying Tclsh scripts in your network, contact the author.

MPLS VPN half-duplex VRF works only on virtual template interface

IOS release 12.3(11)T introduced Half-duplex VRF, a great feature for those of us who have to implement hub-and-spoke VPNs (VPNs where all traffic has to pass through the central site) but hate the configuration hassle associated with them. Unfortunately, the way this feature is implemented, you can only configure it on virtual access/template interfaces, making it useless in most access networks. Too bad ...

Executing a command upon user login

Cisco IOS has long had the autocommand option, with which you can attach any command to a username and have it executed after a successful login. For example, the username x autocommand show ip interface brief command configures the router to display the interface status after someone logs in as user x.

After the autocommand is executed, the user is logged out and the session is disconnected, unless you configure the username user nohangup option, which causes the session to remain active, giving the operator another login prompt.

Display configuration of a single interface

Displaying the configuration of a single interface can be a time-consuming task if your router has an extremely long configuration (for example, a high-end device with hundreds of interfaces, route-maps, access-lists etc.). In this case, the interface keyword of the show running-config command becomes extremely useful. For example, the show running-config interface serial 0/0.1 command displays only the configuration of the specified interface (without building the whole running configuration):

POP#show running-config interface serial 0/0.1
Building configuration...

Current configuration : 154 bytes
interface Serial0/0.1 point-to-point
description *** Link to Core-1 ***
ip address
frame-relay interface-dlci 101
Note: the printout is taken from the Configuring BGP Route Reflectors remote lab.

EIGRP goodbye message

In IOS release 12.3(1.4), Cisco added the Goodbye message to the EIGRP protocol. Previously, whenever a router needed to tear down an EIGRP adjacency (for example, due to changed summary addresses), it would simply erase the neighbor from its EIGRP neighbor table and pretend it had just encountered a new neighbor on the next hello message. As the adjacent device does not participate in this charade, it becomes confused, resulting in delayed adjacency establishment. The whole process is described in detail in my EIGRP book, which has unfortunately been out of print for a few years and is available only as an on-line book on Safari.

With the Goodbye message, both neighbors tear down the adjacency in an orderly fashion and reestablish it immediately after receiving the next EIGRP HELLO message. You can monitor the new EIGRP hello messages with the debug eigrp packet hello command; the Goodbye message also triggers a logging message if EIGRP logging is enabled with the eigrp log-neighbor-changes command (the default setting):

a1#debug eigrp packet hello
EIGRP Packets debugging is on
21:27:50: EIGRP: Received HELLO on Serial0/0/0.100 nbr
21:27:50: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
21:27:50: Inteface goodbye received
21:27:50: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (Serial0/0/0.100) is down: Interface Goodbye received
21:27:54: EIGRP: Sending HELLO on Serial0/0/0.100
21:27:54: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
21:27:54: EIGRP: Received HELLO on Serial0/0/0.100 nbr
21:27:54: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
21:27:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (Serial0/0/0.100) is up: new adjacency
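Because the Goodbye message now shows up as a distinct reason in the %DUAL-5-NBRCHANGE message, you can tell orderly teardowns (somebody changed the configuration) from neighbors that vanished (hold timer expired, link dropped) when you go through the syslog. The following added example, not code from the original article, pairs each neighbor-down with the following neighbor-up for the same neighbor and reports the outage and whether it was graceful. The sample lines are constructed in the format of the printout above; the neighbor addresses are made up, since the printout has them elided, and the "holding time expired" reason is the standard IOS text for a hold-timer expiry.

```python
import re
from datetime import datetime

# Constructed sample syslog lines in the %DUAL-5-NBRCHANGE format shown above
# (neighbor addresses are invented for the example)
SAMPLE_LOG = """\
21:27:50: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.0.2 (Serial0/0/0.100) is down: Interface Goodbye received
21:27:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.0.2 (Serial0/0/0.100) is up: new adjacency
21:31:12: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.0.6 (Serial0/0/0.101) is down: holding time expired
21:32:40: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.0.6 (Serial0/0/0.101) is up: new adjacency
"""

_NBR = re.compile(
    r"^(\d\d:\d\d:\d\d): %DUAL-5-NBRCHANGE: .*Neighbor (\S+) \((\S+)\) is (down|up): (.*)$"
)

def neighbor_flaps(log):
    """Pair each neighbor-down with the next neighbor-up for the same (address, interface).

    'graceful' is True when the down reason is a Goodbye message (orderly teardown,
    typically a configuration change on the other side); any other reason means the
    peer or the link disappeared without warning and deserves a closer look.
    Timestamps carry no date, so a flap spanning midnight would show a negative outage.
    """
    pending = {}
    flaps = []
    for line in log.splitlines():
        m = _NBR.match(line.strip())
        if not m:
            continue
        ts, addr, iface, state, reason = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S")
        key = (addr, iface)
        if state == "down":
            pending[key] = (t, reason)
        elif key in pending:
            t_down, reason = pending.pop(key)
            flaps.append({"neighbor": addr, "interface": iface,
                          "outage_s": int((t - t_down).total_seconds()),
                          "graceful": "goodbye" in reason.lower(), "reason": reason})
    return flaps

if __name__ == "__main__":
    for flap in neighbor_flaps(SAMPLE_LOG):
        print(flap)
```

On the sample lines the Goodbye-initiated flap is back up after 4 seconds, while the neighbor that timed out stayed down for 88 seconds; the second kind is the one worth alerting on.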

Can you disable the reload command?

Someone has recently asked an interesting question - can you disable the reload command? Although I would strongly discourage you from doing that (after all, every router I've ever worked on since a venerable MGS running IOS 10.0 had to be reloaded every now and then), here's what you can do:

  • Define an alias for the reload command that does something else, for example alias exec reload show ip interface brief. While this would remind a careless operator, it would still not prevent someone from using an abbreviation like relo to reload the device.
  • Use TACACS+ command authorization and deny the reload command on the TACACS+ server. The benefit of this approach is that you can do it on a user-by-user basis ... but of course you need a TACACS+ server; RADIUS will not do, as it has no per-command authorization.
  • Disable the reload command with an Embedded Event Manager applet.
The applet to disable the reload command would be similar to this one:
event manager applet NoReload
event cli pattern "reload" sync no skip yes
action 1.0 syslog priority errors msg "Cannot reload this router"
Note: this article is part of You've asked for it series.

Enhanced password security for local usernames

Cisco IOS has long had the ability to define local users that can be used to authenticate incoming telnet sessions or dial-up connections (using PAP or CHAP). Until IOS release 12.3, the passwords assigned to local usernames were stored either in cleartext or, with service password-encryption, using the weak reversible type 7 encoding. With decoders widely available on the Internet (the scheme is a fixed-key XOR), this encoding offers practically no protection.

With IOS release 12.3, Cisco introduced enhanced password security and the new username user secret password command, which stores a salted MD5 hash (type 5) instead of a reversible string, so the password cannot be recovered from the configuration (newer IOS releases add the stronger type 8 and type 9 hashes). Of course, such usernames cannot be used in scenarios where the router needs access to the cleartext password (for example, CHAP authentication).
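The local-username pitfalls covered above (the reusable default cisco/cisco account and its one-time replacement, the AAA local fallback, usernames without passwords, and type 7 versus secret) are all visible in a running configuration, so they can be checked mechanically. The following added example, not code from the original article, decodes type 7 strings with the well-known fixed-key XOR and audits a configuration text for those pitfalls. The sample configuration is constructed for the example (the type 5 hash is a placeholder, not a real credential); the two type 7 strings are standard test vectors that both decode to "cisco".

```python
import re

# The fixed type 7 key; the first two decimal digits of an encoded string select the starting offset
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decode_type7(encoded):
    """Reverse a type 7 password: two decimal digits give the key offset,
    every following hex byte is XORed with the next character of the fixed key."""
    seed = int(encoded[:2], 10)
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(bytes.fromhex(encoded[2:])))

# Constructed sample configuration for this example (the type 5 hash is a placeholder)
SAMPLE_CONFIG = """\
hostname edge-1
aaa new-model
aaa authentication login MyList group tacacs+ local
username cisco privilege 15 password 7 0822455D0A16
username admin privilege 15 secret 5 $1$salt$placeholderplaceholder
username guest nopassword autocommand show ip interface brief
username ops nopassword
username bootstrap privilege 15 one-time secret b00tstrap
line con 0
 login authentication MyList
line vty 0 4
 login authentication MyList
"""

_USER = re.compile(r"^username (\S+)(?: privilege \d+)?(?: view \S+)?(?:\s+(.*))?$")

def audit_local_users(config):
    """Return (severity, message) findings for the local-user pitfalls discussed above."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]
    if "aaa new-model" not in lines:
        findings.append(("warn", "aaa new-model missing: line passwords, not usernames, guard console/vty"))
    if not any(l.startswith("aaa authentication login") and l.endswith(" local") for l in lines):
        findings.append(("warn", "no login method list ends with 'local': no fallback if AAA servers are unreachable"))
    for line in lines:
        m = _USER.match(line)
        if not m:
            continue
        user, rest = m.group(1), m.group(2) or ""
        one_time = rest.startswith("one-time ")
        if one_time:
            rest = rest[len("one-time "):]
        if user == "cisco" and not one_time:
            findings.append(("high", "default username 'cisco' is reusable: remove it or recreate it as one-time"))
        m7 = re.match(r"password 7 ([0-9A-Fa-f]+)$", rest)
        if m7:
            findings.append(("high", f"{user}: type 7 password is reversible "
                                     f"(decodes to {decode_type7(m7.group(1))!r}); use 'secret'"))
        elif re.match(r"password (?:0 )?\S", rest):
            findings.append(("high", f"{user}: cleartext password; use 'secret'"))
        elif rest == "" or rest.startswith("nopassword"):
            if "autocommand" in rest:
                findings.append(("info", f"{user}: passwordless account, confined by autocommand"))
            else:
                findings.append(("high", f"{user}: no password set and no autocommand; unauthenticated shell"))
        elif one_time:
            findings.append(("info", f"{user}: one-time credential; it is removed only from running-config, "
                                     "so write memory after it has been used"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_local_users(SAMPLE_CONFIG):
        print(f"{severity:5} {message}")
```

Run against the sample, the audit flags the reusable default account and recovers its type 7 password, flags the ops user that gets a shell without any password, and only notes the guest account (restricted by autocommand) and the one-time bootstrap account, with the reminder from the caveats above that the one-time username comes back after a reload unless the configuration is saved.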

Stop extended ping or traceroute command

Every introductory Cisco course tells you that you can stop any IOS command (for example, ping or traceroute) with the Ctrl/^ (also written as ^^ or Ctrl-Shift-6) escape character. What they usually forget to tell you is how to do that on non-US-ASCII keyboards or with telnet programs that do not want to recognize weird control characters.

The trick is simple - if you cannot generate ^^ (ASCII code 30), change the escape character. You can change it for the current session with the terminal escape-character char exec-level command or permanently with the escape-character char line configuration command. For example, to set the escape character for the current session to ctrl-C, use terminal escape-character 3 command.

Note: this article is part of You've asked for it series.

Save the approximated date-and-time in NVRAM

In certificate-based IPSec deployments, the router has to establish an approximately valid date and time before it can use a certificate to establish IPSec session (as most certificates were issued after March 1st 2002, which is the default initial value, they are not valid until the router has acquired an approximately correct date-and-time).

This requirement is not a problem for most router models, as they have a battery-backed hardware clock that keeps running even when the router is reloaded or powered down. The low-end models, though, have a problem, as they always start with the default date/time after a reload. These devices have to get their time from an NTP/SNTP server before they can establish the IPSec session; if the (S)NTP server is only reachable across the VPN, you have a nice chicken-and-egg problem. Cisco solved this in IOS release 12.3(2)T with the clock save interval hours configuration command. This command saves the NTP-acquired date and time in NVRAM every x hours (from 8 to 24 hours), making sure the router will have an approximate time after the reload that is good enough for the certificate to be considered valid.

Where did the CBAC go?

I've got an interesting question a while ago: Do new Cisco routers still use CBAC?

Of course they do, it's just been renamed. The marketing department has decided that Context Based Access Control (CBAC) does not sound nearly so nice as the Cisco IOS Firewall. Even the command structure hasn't changed, you still use the ip inspect commands to configure it, unless, of course, you have IOS release 12.4(6)T or newer, where you can use zone-based policy firewall configuration.

This article is part of You've asked for it series.

Replacing configuration on a working router

In my IP Corner article Replacing Configuration on a Working Router, I'm describing how you can use the Configuration Replace and Configuration Rollback features of Cisco IOS to replace configuration you've managed to break with a working one. In the section Event-Driven Rollback, you'll also find Embedded Event Manager applets that emulate the Configuration Commit feature of IOS XR in IOS release 12.4.

Reload EEM Tcl policy with an EEM applet

Developing Embedded Event Manager (EEM) Tcl policies is a somewhat tedious task. Usually you edit the source file on an external workstation, then you have to download it into the router (IOS will not read an EEM policy from an external source), re-register it with EEM (when you register a policy it gets copied from the source file into the system:lib/tcl/eem_registered_scripts directory) and test it. To automate this process, I've written a small EEM applet that performs the tedious steps automatically. Configure the following EEM applet (replacing ep.tcl with your policy name and nvram: with your router's storage device):

event manager applet LoadMyPolicy
event none
action 1.0 cli command "configure terminal"
action 1.1 cli command "no event manager policy ep.tcl"
action 1.2 cli command "file prompt quiet"
action 1.3 cli command "exit"
action 2.0 cli command "copy tftp:// nvram:ep.tcl"
action 3.0 cli command "configure terminal"
action 3.1 cli command "event manager policy ep.tcl"
action 3.2 cli command "exit"
Define an alias to start the load process with a simple command:
alias exec load event manager run LoadMyPolicy
Now you can use the newly-created exec-level load command to load and re-register your EEM policy.